Hi, thank you for joining this presentation. My name is Varun Narayanan and this is a joint work with Shweta Agrawal, Yuval Ishai, Eyal Kushilevitz, Manoj Prabhakaran, Vinod Prabhakaran and Alon Rosen. In this presentation, we address the possibility of using one-directional communication over a noisy channel to securely compute two-party functionalities.
First, let me quickly describe what a channel is. It is a mathematical model of a noisy memoryless communication link. It has a finite set of input and output symbols and it is fully described by the distribution over the output symbols induced by each input symbol. A single use of the channel can be described as follows. When the input is x, the channel outputs symbol y with probability p(y | x).
Guaranteeing security while communicating over a noisy channel, as well as exploiting channel noise to facilitate security, have both been studied extensively, both in core information theory and cryptography. A notable example is the wiretap channel introduced by Wyner in '75. In this model, there is a noisy link from the sender to the receiver. And additionally, there is an eavesdropper who is tapping onto this channel over another noisy link. This is modeled by a single-input multiple-output channel and we are interested in the rate at which the sender can message the receiver while ensuring privacy from the eavesdropper.
Another well-studied problem is of using noisy channels to facilitate secure two-party computation. It is well known that only a limited class of functionalities can be computed by two parties who are interacting over a clear channel. This was shown by Kushilevitz in '92. But when the parties have access to a non-trivial channel, they can indeed compute every functionality with statistical security. And this works in both the semi-honest and the malicious setting.
Here, by a non-trivial channel, we mean a channel that is neither a clear channel nor a completely noisy channel where the output is independent of the input. In this talk, we are interested in a more constrained version of this problem where there is no interaction. That is, the communication is only one-directional over the provided noisy channel.
The model of one-way secure computation, or OWSC for short, was introduced by Garg et al. in 2015. The objective of OWSC is to securely compute sender-receiver functionalities using one-way communication over a given noisy channel. Due to this one-directionality, we can only expect to compute sender-receiver functionalities that take input from the sender and provide an output to the receiver. And such a functionality can itself be thought of as a channel, and OWSC as a way of securely implementing a given channel using the channel at hand.
The protocol for one-way secure computation has a simple structure. The sender encodes the input, say, a, using an encoder S and sends it to the receiver, possibly making multiple uses of the channel. And the receiver decodes the output of the channel using a decoder R to compute a potential output. Correctness requires that the receiver's output distribution is close to the distribution f(a). Security against the receiver requires that the receiver learns only f(a). This specifically means that the sender cannot simply send her input a to the receiver using an error-correcting code. And the security against the sender requires that the sender only learns that the receiver's output is distributed according to f(a). Hence, specifically, the sender cannot simply sample f(a) by herself and send it over to the receiver using an error-correcting code.
Formally, correctness and privacy against the sender with epsilon error requires that the joint distribution of the sender's encoding and receiver's output is epsilon-close to the joint distribution of the sender's encoding and the output of the functionality. Privacy against the receiver requires that the channel's output can be simulated using only the receiver's output, that is, f(a). Intuitively, in this model, the secure computation is necessarily carried out by the channel. The encoding and decoding are done to facilitate such a secure computation by the channel. This makes the model interesting from a theoretical point of view as it investigates the secure computing capabilities of a noisy channel. In this, the setting is non-interactive and does not use any setup.
Furthermore, many cryptographic tasks can be captured as secure computation of sender-receiver functionalities. This makes the model appealing from a practical point of view. We list a few applications. The previous work on this topic has noted that ZK proof using OWSC is the first truly non-interactive ZK proof. It does not need a common randomness setup and it guarantees desirable properties like non-transferability and deniability. Another application is the generation of random puzzles where no party gets any advantage in solving them. OWSC also helps in constructing randomized blind signatures, which have applications in e-cash and non-interactive certified PKI generation.
Before we venture forth, let me describe some of the channels and functionalities we would encounter going further. A binary erasure channel with erasure probability p takes a single bit input and with probability p it erases the bit and sends it forth without error otherwise. A binary symmetric channel with crossover probability p also takes a single bit input and flips the bit with probability p. Both these channels are often used to model naturally occurring communication links.
A random oblivious transfer functionality, or ROT for short, which can be thought of as a channel too, is a randomized version of the oblivious transfer functionality. A bit ROT channel takes a pair of bits from the sender and erases exactly one of the bits at random. A string ROT channel works the same way but with the input being a pair of strings rather than a pair of bits.
Our work builds on the results in the initial work on OWSC from 2015. They showed that neither the binary erasure channel nor the binary symmetric channel is complete in the OWSC setting. This means that they cannot compute all functionalities with negligible error even against a computationally bounded adversary in the OWSC model. By negligible error we mean that the error should be a negligible function of the number of channel uses made in the protocol, that is, the length of the encoding sent by the sender. In this work we extend this result to show that no channel with finite input and finite output alphabet is complete with negligible error even against a computationally bounded adversary.
On the positive side, the same work had shown that the family of string ROTs of all string lengths is complete for OWSC with negligible error. We show in this work that the finite bit ROT channel is complete but with inverse polynomial error even against a computationally unbounded and possibly malicious adversary. Finally, they also constructed a zero-knowledge functionality using BEC and BSC in the OWSC model. We generalize this to provide a complete characterization of channels that allow ZK functionality in the OWSC model.
Our first theorem states that there is a computationally efficient OWSC protocol that makes n uses of the bit ROT channel and realizes a string ROT of length about n to the delta, and the protocol is n to the half minus delta secure against a malicious adversary. This theorem establishes that string ROTs can be realized using bit ROT with inverse poly security.
A result in the Garg et al. paper from 2015 already showed that the class of string ROT is complete in the OWSC model. Hence, bit ROT is complete in the OWSC model with inverse polynomial error. In the coming slides, we will provide an overview of the OWSC protocol that realizes string ROT using the bit ROT channel.
Remember that a string ROT functionality takes a pair of strings as input and erases exactly one of the strings uniformly at random. Let us see what an OWSC protocol of string ROT using bit ROT must be like. On input (U_0, U_1), the sender uses an encoder S to encode the input into a sequence of pairs of bits. It then sends each of the pairs of bits in the sequence to the receiver using the bit ROT channel. For each pair in the sequence, the bit ROT channel erases exactly one of the bits uniformly at random. The receiver then applies the decoder R on the received sequence and outputs (U_0, ⊥) or (⊥, U_1). Privacy against the sender requires that the sender does not learn which of the two strings has been erased. Privacy against the receiver requires that the receiver knows nothing about the erased string in this output. We will next see the kind of challenges we encounter when we try to build an encoder and decoder that provide these guarantees.
Observe that n uses of the bit ROT channel are fully described by the set of positions at which the channel has erased the first bit. This erasure pattern on the n-fold use of the bit ROT channel is a uniformly random subset of the set {1, ..., n}. Let us take a look at the hypercube of erasure patterns corresponding to n-fold use of the bit ROT. Here, the diamond shape represents a hypercube of erasure patterns. If our OWSC scheme is to be correct with a small error, then we would require that for most of the encodings sent forth by the sender, erasure patterns in about half of the volume of the hypercube result in the receiver decoding the first string.
It should decode the second string in the other half of the hypercube. Furthermore, these decodings are correct with high probability. I have called the string a message in this slide. Of course, these decoding regions need not be the upper and lower half of the hypercube, but surely these regions should occupy about half of the volume of the hypercube each.
Consider an erasure pattern that is on the boundary between these two regions. It will have neighbors sitting in either region. And this is a problem when trying to guarantee privacy against the receiver, because a curious receiver can mount the following attack. The receiver first decodes the channel's output to obtain one of the strings in the string ROT. Further, it guesses the channel's output for one of the neighboring erasure patterns. With constant probability, the receiver will succeed in this. And if luckily this neighboring erasure pattern decodes the second string in the ROT, it declares success, hence breaking privacy. By a concentration bound, since both regions are almost half the volume, the boundary of the region, which is where this attack succeeds, is of substantial volume. For an n-dimensional hypercube, indeed the probability of falling in this boundary is about one by square root of n. This is the intuition behind the impossibility of OWSC over the bit ROT channel with negligible error. In fact, this is impossible even with one by n square error. Also observe that this attack can be mounted even by a computationally bounded adversary. It turns out we could generalize this intuition to work for all finite channels.
Now, if we only need a weaker security guarantee, being optimistic, we could try to turn this unfortunate situation on its head. We could hope to arrange for the following. There is a region where the first string can be decoded and another region where the second string can be decoded while guaranteeing the privacy of the undecoded string.
Both regions occupy about half the volume of the hypercube, and in between them there is a gap or a region of transition where the process of erasing one of the strings and unerasing the other string happens. Intuitively, this gap should be about as wide as the length of the strings so that they can be erased and unerased as we pass through this region. Our OWSC protocol shows that such a scenario is realizable.
We construct a scheme which guarantees that if the bit ROT channel leaves more than n plus n to the delta by two positions unerased in the first index, the receiver gets to decode the first string and learns nothing about the second string. And if the bit ROT channel leaves more than n plus n to the delta by two positions unerased in the second index, the receiver gets to decode the second string and learns nothing about the first string. But whenever the number of erasures in both the indices is in the interval n plus or minus n to the delta by two, the decoder may learn partial information about both the strings. This is the transition region we mentioned in the previous slide. But by anti-concentration, the probability of erasure patterns falling in this gap is n to the delta minus half, which is inverse polynomial in n. We provide a construction that guarantees this behavior as long as the length of the strings is about the same as the gap, that is, n to the delta.
By now, you must have guessed what type of primitive we would use in this construction. We would use a ramp secret sharing scheme, but with weaker privacy and reconstruction guarantees than required in the classical definition of secret sharing. We need an n-party secret sharing scheme with one-bit share size for a secret of size about n to the delta. We need the reconstruction threshold to be n plus n to the delta by two and the secrecy threshold to be n minus n to the delta by two.
Requiring constant size shares already makes even ramp secret sharing with perfect reconstruction and secrecy impossible to achieve. On top of this, we are also asking for the gap between the reconstruction and secrecy thresholds to be inverse polynomial. But on the brighter side, we only need reconstruction and privacy errors to be small rather than zero, and that too only with high probability for a uniformly random subset of parties. This is because the parties for us are analogous to positions left unerased by the ROT channel.
Our construction of the secret sharing scheme closely follows a recent work by Lin, Cheraghchi et al. which showed that if we are willing to tolerate some error in secrecy and reconstruction, secret sharing with one-bit shares is possible as long as the secret size is comparable to the gap between the reconstruction and secrecy thresholds. But this construction does not allow the gap between the reconstruction and secrecy thresholds to be inverse polynomial. Our construction works around this issue with a simple tweak.
Given such an average-case ramp secret sharing scheme, the construction is fairly straightforward. The sender secret shares U_0 in the first index and U_1 in the second index. If the number of erased bits is less than n minus n to the delta by 2 in the first index of the received stream, the receiver reconstructs U_0, hopefully getting it right. Note that in this case, the receiver learns nothing about U_1 as he has only less than n minus n to the delta by 2 of its shares. The case where the number of erased bits is less than n minus n to the delta by 2 in the second index of the received stream is analogous. The scheme guarantees nothing when the number of erasures falls in the interval n plus or minus n to the delta by 2. But this happens with inverse polynomial probability. Hence, we have a string ROT with inverse polynomial error. This is the construction.
Our next result is on OWSC of zero-knowledge proofs.
Our result shows that in the OWSC model, zero-knowledge functionality can be realized using any channel that is not completely clear or completely noisy. If the channel is fully noisy or clear, we cannot realize zero-knowledge without interaction and no setup anyway. The construction is a generalization of the one in the 2015 paper by Garg et al. The idea is to encode many copies of oblivious ZK-PCP and send them to the verifier. We need sufficiently many bits in each of these proofs to be erased by the channel to ensure zero-knowledge and a large enough portion to be revealed so that the verifier can detect if the proof is correct. The bulk of the construction deals with emulating a noisy erasure channel using the given channel so we can execute this plan. To construct a noisy erasure channel using the given channel in the OWSC model, we use a geometric interpretation of the given channel. This interpretation helps us in designing statistical tests that help the receiver abort when the sender deviates from the protocol for realizing the erasure channel. Please look at the paper for more details on this construction.
In conclusion, OWSC captures the idea of secure computation using noisy channels. We showed that there exist finite channels that are OWSC complete with inverse polynomial error. And finally, we provided a characterization of channels that can allow zero-knowledge functionality in the OWSC model. An interesting open question is whether we can characterize the channels that are complete for OWSC like the bit ROT. That is the end of this presentation. Thank you.
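
The anti-concentration argument in the talk can be checked numerically. The following is an added example, not code from the talk or the paper: it simulates the bit ROT channel and computes exactly how often the erasure pattern lands in the transition region. It assumes the spoken thresholds mean (n ± n^δ)/2 surviving first-index bits, and all function names are hypothetical.

```python
import math
import random

def bit_rot(pairs, rng):
    """Bit-ROT channel: erase exactly one bit of each pair, chosen uniformly."""
    return [(b0, None) if rng.random() < 0.5 else (None, b1) for b0, b1 in pairs]

def gap_bounds(n, delta):
    """Counts k of surviving first-index bits that lie in the transition region.
    Assumed reading of the thresholds: (n - n^delta)/2 <= k <= (n + n^delta)/2."""
    w = n ** delta
    return math.ceil((n - w) / 2), math.floor((n + w) / 2)

def gap_probability(n, delta):
    """Exact P[k in gap] for k ~ Binomial(n, 1/2); delta = 0 gives the middle layer."""
    lo, hi = gap_bounds(n, delta)
    return sum(math.comb(n, k) for k in range(lo, hi + 1)) / 2 ** n

def simulate_gap(n, delta, trials, seed=1):
    """Empirical gap frequency, measured by pushing random pairs through bit_rot."""
    rng = random.Random(seed)
    lo, hi = gap_bounds(n, delta)
    hits = 0
    for _ in range(trials):
        pairs = [(rng.getrandbits(1), rng.getrandbits(1)) for _ in range(n)]
        kept_first = sum(1 for y0, _ in bit_rot(pairs, rng) if y0 is not None)
        hits += lo <= kept_first <= hi
    return hits / trials

if __name__ == "__main__":
    # Constructed parameters: n grows by 16x per row, delta = 0.25.
    for n in (100, 1600, 25600):
        boundary = gap_probability(n, 0.0)   # middle layer: the ~1/sqrt(n) boundary
        gap = gap_probability(n, 0.25)       # transition region: ~n^(delta - 1/2)
        # Both rescaled columns stay roughly constant as n grows.
        print(n, round(boundary * math.sqrt(n), 3), round(gap * n ** 0.25, 3))
```

The rescaled columns staying near a constant is the inverse polynomial behaviour described in the talk: the gap probability shrinks with n, but only polynomially.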